A recently discovered Bash ransomware piqued our interest in multiple ways. Upon investigating, we found that the attack chain is fully implemented as a bash script, but it also seems that the scripts are still under development. Most components of this attack mainly target Red Hat and CentOS Linux distributions; however, in some scripts, Debian-based Linux distributions are included as well. The worm and ransomware scripts also use the API of the messaging application Telegram for command-and-control (C&C) communication. The “downloader.sh” is an SSH worm that accepts base64-encoded configuration credentials as an argument. These credentials would either be dumped by the attacker after the initial foothold on a victim’s systems or used as a brute-force list that targets systems with weak password protection. Essentially, the malware checks if the given configuration is set to use an SSH password attack or an SSH key base attack — it can also test SSH passwords or SSH keys against the targeted IP address. Upon successful connection, the malware downloads and executes ransomware on a remote system.